OSSA-2013-028: Unintentional role granting with Keystone LDAP backend
- Date: October 30, 2013
- CVE: CVE-2013-4477
Affects
Keystone: All supported versions
Description
The IBM OpenStack test team reported a vulnerability in the role change code of the Keystone LDAP backend. When a role on a tenant is removed from a user who does not actually hold that role on the tenant, the user may instead be granted the role on the tenant. A user could use social engineering to leverage this vulnerability and get extra roles granted, or may be granted extra roles by accident. Only Keystone setups using an LDAP backend are affected.
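The invariant the advisory is about (removing a role a user does not hold must never grant it) is easy to state as a regression check. The following is an added illustration, not Keystone's own code or the patched driver: `BuggyRoleBackend` is a toy in-memory backend constructed to reproduce the observable behaviour described above (its toggle defect is an illustrative stand-in, not the real LDAP driver's bug), `FixedRoleBackend` shows the idempotent behaviour a removal must have, and `removal_never_grants` is the check a test team could run against any role backend.

```python
# Added example for OSSA-2013-028; the class and function names are illustrative.

class BuggyRoleBackend:
    """Toy backend reproducing the reported behaviour: removing a role the
    user does not hold ends up granting it. The toggle logic below is a
    constructed stand-in, not the actual Keystone LDAP driver code."""

    def __init__(self):
        self._grants = set()  # (user_id, tenant_id, role_id) tuples

    def has_role(self, user_id, tenant_id, role_id):
        return (user_id, tenant_id, role_id) in self._grants

    def add_role(self, user_id, tenant_id, role_id):
        self._grants.add((user_id, tenant_id, role_id))

    def remove_role(self, user_id, tenant_id, role_id):
        key = (user_id, tenant_id, role_id)
        if key in self._grants:
            self._grants.discard(key)
        else:
            # Defect: a "removal" of an absent grant silently becomes a grant.
            self._grants.add(key)


class FixedRoleBackend(BuggyRoleBackend):
    def remove_role(self, user_id, tenant_id, role_id):
        # Idempotent removal: an absent grant is a no-op, never an add.
        self._grants.discard((user_id, tenant_id, role_id))


def removal_never_grants(backend, user_id="u1", tenant_id="t1", role_id="admin"):
    """Return True if role removal is safe on this backend:
    removing an unheld role leaves it unheld, and removing a held role
    twice in a row also leaves it unheld."""
    args = (user_id, tenant_id, role_id)
    if backend.has_role(*args):
        backend.remove_role(*args)
    backend.remove_role(*args)  # user does not hold the role at this point
    if backend.has_role(*args):
        return False  # this is the OSSA-2013-028 behaviour
    backend.add_role(*args)
    backend.remove_role(*args)
    backend.remove_role(*args)  # repeated removal must stay a no-op
    return not backend.has_role(*args)
```
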
Patches
https://review.openstack.org/#/c/53146 (Grizzly)
https://review.openstack.org/#/c/53012 (Icehouse)
Credits
The IBM OpenStack test team (CVE-2013-4477)